Dear Board: Ireland Just Decided How AI Will Be Policed — And You Should Read This Before August 2026
Paul C Dwyer

There is a piece of legislation moving through Leinster House right now that most business leaders in this country have not read, will not read, and will nonetheless be governed by within weeks. I want to walk you through it in plain terms, because the detail matters, and because the gap between how this Bill is being presented and what it actually changes is wide enough to drive a strategy through.
Let me start with the part you already half-know.
The EU AI Act, in the only terms that matter to you
You have heard of the EU AI Act. You may have filed it mentally alongside GDPR — another Brussels regulation, another compliance cost, something for the legal team. That instinct is half right and half dangerous.
Here is what it actually is. The AI Act is the world's first comprehensive law governing artificial intelligence, and it sorts AI systems by risk. A small number of uses are simply banned — social scoring, certain kinds of biometric surveillance, manipulative systems. A larger category is labelled "high-risk": AI used in recruitment, in deciding who gets promoted or let go, in worker monitoring, in credit decisions, in medical devices, in essential services. If your organisation uses AI to screen CVs, score loan applications, monitor staff, or triage customers, you are very likely operating high-risk systems whether you have called them that or not.
The Act does not care whether you built the AI or bought it off the shelf. If you deploy it in the EU, you carry obligations. And the penalties are not theoretical: breaches of the banned-practice rules can reach €35 million or 7% of global annual worldwide turnover, whichever is higher. That is GDPR-scale exposure, attached to a technology your organisation is probably adopting faster than it is governing.
"But didn't they delay it?"
The most consequential high-risk obligations for standalone systems moved from August 2026 to December 2027; high-risk AI embedded in regulated products moved to August 2028. If you only heard the headline "the EU delayed the AI Act," that is the bit you heard.
Who pushed for the delay — and why it should sharpen your attention, not relax it

It is worth being clear-eyed about how the delay happened, because it tells you something about the environment your governance now operates in.
The Digital Omnibus did not emerge from a sudden burst of European self-doubt. There was considerable geopolitical pressure on the EU to reduce the regulatory burden on technology companies, and the Commission proposed the Omnibus in November 2025 in response.
Analysts tracking the lobbying have been blunter still: they describe Big Tech's fingerprints across the proposals, assisted by the Trump administration. One outlet went so far as to say that Washington was now setting the pace on deregulation in Europe.
I raise this not to score a political point. I raise it because the lesson for any board is the opposite of "we can ease off." When the rules themselves are being bent by the largest and most resourced players in the market, the organisations left exposed are the ordinary ones — the Irish employer, the credit union, the mid-sized financial firm, the hospital group — who do not have a lobbying budget and who will be held to whatever the final framework says. The giants negotiate the weather. You still have to live in it.
Now to Ireland — and the part that disappoints me
Here is where it comes home. A European regulation tells you what the rules are. But who enforces them in Ireland, how well-resourced that enforcer is, and whether anyone is watching the gaps between regulators — those are national choices. And Ireland has just made them, in the Regulation of Artificial Intelligence Bill 2026, published last week.
I have read it. My honest reaction is disappointment.
Four months ago, the Government's own draft blueprint — the General Scheme — positioned a new national AI Office as a market surveillance authority. In plain terms, that is the body with teeth: the one that can investigate, inspect, and ultimately sanction. The published Bill steps back from that posture. The AI Office of Ireland that emerges will coordinate, convene, and advise. It will maintain the national register of high-risk systems and serious incidents, it will triage complaints, it will lend technical expertise to other regulators. What it will not do, on its own authority, is investigate, inspect, or fine.
Instead, Ireland has chosen what is called a distributed model.
Supervision is parcelled out to the existing sectoral regulators, each absorbing AI into its current remit: the Central Bank for financial-services AI, the Health Products Regulatory Authority for medical devices, Coimisiún na Meán for online platforms, the Data Protection Commission for biometric and data-driven systems.
The AI Office becomes, in effect, a switchboard connecting them.
I want to be fair to this design, because it is not without logic. The regulators who already understand finance, health, and media are arguably best placed to understand AI risk within those worlds. Coordination has real value. But fairness cuts both ways, and there are two questions every board member in this country should be asking.

Question one: who watches the gaps?
AI does not respect a regulator's organisation chart. A hiring tool that scores candidates, infers health conditions, and feeds a financial decision touches employment, data protection, and financial regulation all at once. In a distributed model, the risk is not that any single regulator fails — it is that the genuinely novel, cross-cutting harms fall into the space between them, where no one has clear ownership and the central body has no power to step in.
There is also a legal tension I will flag plainly, and which I expect to be tested in the parliamentary debates. The AI Act requires that a country's single point of contact with Brussels must itself be a market surveillance authority — a body with enforcement standing. The Bill makes Ireland's AI Office that single point of contact. How those two facts are reconciled in the final wording is not a lawyer's footnote; it goes to whether the central institution has any real standing at all. Watch that clause.
The timing makes all of this louder
We are stepping onto the European stage as a host while, at home, building a quieter enforcement machine than our own draft once promised. The optics and the substance are pulling in different directions, and astute observers across Europe will notice.
Question two: who pays for it?
This is the one that should concern you most, because it is the one most likely to determine whether any of this works in practice.
A distributed model only functions if every regulator in the chain is resourced to take on one of the most complex technologies in human history on top of its existing job. The General Scheme had floated a funding levy so those regulators could recover the cost of their expanded mandate. As the Bill stands, I am reading the final text very closely to see whether that cost-recovery mechanism survives intact — because if regulators are asked to supervise AI from existing budgets, with no dedicated funding, then "distributed supervision" risks becoming distributed under-supervision.
For you, that is not an abstraction. Under-resourced regulators produce two equally bad outcomes: long periods of apparent inaction that lull organisations into complacency, followed by sudden, uneven enforcement when something goes wrong and a regulator needs to be seen to act. Neither is an environment you can plan around. Predictable enforcement is a gift to good governance. Unpredictable enforcement is a tax on it.

So what should your board actually do?
Let me leave the commentary aside and be useful. Regardless of how the parliamentary debates resolve the questions above, here is what is squarely within your control:
Find your AI before the regulator does. The hardest part of compliance is not paperwork — it is knowing every AI system in your organisation, built or bought, and which risk category each falls into. Start that inventory now. It does not get easier by waiting.
Treat August 2026 as live, not deferred. The transparency and disclosure obligations are arriving on the original schedule. If you deploy customer-facing AI, you have weeks, not years.
Put AI on the board agenda as a governance item, not an IT item. The accountability for high-risk AI sits with the organisation deploying it. That is a board-level responsibility, and "the vendor handles it" is not a defence that survives contact with a regulator.
Decide who your regulator is — and build the relationship. Under the distributed model, your AI oversight will likely come through whichever sectoral authority already governs you. Know who that is. Engage early.
Watch the funding question. When the Bill is debated, the levy and resourcing provisions will tell you more about real-world enforcement intensity than any ministerial press release.
I wanted Ireland to swing for the fences here. With our concentration of global technology companies, our incoming Presidency, and our stated ambition to be a centre of excellence for trustworthy AI, we had both the standing and the reason to build something genuinely ambitious. I am not yet convinced we did. The parliamentary debates will tell us a great deal — and for once, this is a legislative process worth every board's attention.
Digital resilience is no longer the IT department's problem. It is now, unambiguously, yours.
HEAD OFFICE
-
ICTTF Ltd
ICTTF House
First Floor Unit 15
N17 Business Park
Tuam, Co Galway
H54 H1K2 -
info@icttf.org
support@icttf.org -
+353 (0)1 905 3263


